FINRA Small Firm Cybersecurity Checklist

The Financial Industry Regulatory Authority, or FINRA, has made available a document that financial and investment firms will want to pay close attention to. To better assure your ability to remain in FINRA compliance, you’ll want to download and use the FINRA small firm cybersecurity checklist provided on their website.

Cybersecurity under FINRA compliance obligations is broadly defined as the protection of investor and firm information from compromise through the use—in whole or in part—of information technology.

Compromise refers to a loss of data confidentiality, integrity or availability. The FINRA checklist is provided to assist small member firms with limited resources to establish a cybersecurity program to identify and assess cybersecurity threats, protect assets from cyber intrusions, detect when their systems and assets have been compromised, plan for the response when a compromise occurs, and implement a plan to recover lost, stolen or unavailable assets.

This checklist is not exhaustive, and firms should address their cybersecurity program in a way that best suits their business model. There is no one-size-fits-all cybersecurity program.

Firms may choose to develop or use their own checklist, borrow sections from this checklist to include in their own checklist, or use a different resource (e.g., SIFMA’s small firm checklist, NIST guidance, or the Securities and Exchange Commission’s guidance). Firms that use this checklist must adapt it to reflect their particular business, products and customer base.

Please note: Use of this checklist does not create a so-called “safe harbor” with respect to FINRA rules, federal or state securities laws, or other applicable federal or state regulatory requirements.

Methodology

Using the FINRA small firm cybersecurity checklist, firms will identify and inventory their digital assets, assess the adverse impact to customers and the firm if the assets were compromised, identify potential protections and processes that secure the assets, and then make a risk-based assessment considering their resources, the consequences of a potential breach and available protections and safeguards.

Firms may decide to remediate or otherwise address some security vulnerabilities with a high risk impact, or they may decide that a threat carries a low risk impact which they can accept. In either case, firms should articulate why they decided to remediate or chose not to remediate.

Completing the FINRA small firm cybersecurity checklist will require time and effort from senior executives at your firm. At a minimum, firms should know the assets that are vulnerable to a cyber-incident, and they should assign a risk level to these assets. Senior executives will then be informed on how best to allocate firm resources to protect the firm’s and customers’ information. See below for questions.

Assistance

At small firms, one person may be responsible for operations, compliance and legal functions, including the cybersecurity program, and he or she may not understand the technology at issue or the terms used in the FINRA small firm cybersecurity checklist. In this instance, the firm may consider working with outside technology help (where KalioTek™ comes in), industry trade associations or other peer groups, their vendors, or their FINRA Regulatory Coordinator to understand the information discussed in this checklist. Many small firms rely on clearing firms and vendors to maintain customer accounts and transact business, but these small firms should not assume that others are responsible for preventing or reacting to a cyber-incident.

Using Excel

“This checklist is in Excel and uses Excel formulas. The person completing this checklist should have a basic knowledge of Excel. If no one at the firm has these skills, please send an email to memberrelations@finra.org to schedule a call. There are also many helpful video tutorials on Excel available on YouTube.

Please note: If you need to insert a new row in Section 1, you will also need to insert rows on the other Sections and copy the pre-existing formulas into the newly inserted cells.”

Important FINRA Small Firm Cybersecurity Checklist Questions

Please review the five questions below; based on your answers, complete the sections (12 tabs total) applicable to your business. The five core sections of the checklist follow the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.

4) Do you have assets that if lost or made inoperable would impact your firm’s operations (e.g., trading or order management systems)?

If you answer yes to question 4, you will fill out:

Section 5 – Protect: Systems Assets

5) If your systems, PII or firm sensitive information were made inoperable or stolen, would you need to recover them to conduct business?

If you answer yes to question 5, you will fill out:

Section 12 – Recovery

FINRA Small Firm Cybersecurity Checklist Resources include:

Helpful Links

General Application

NIST framework

FINRA’s Report on Cybersecurity Practices

SANS Critical Security Controls for Effective Cyber Defense

And, there is much more to the FINRA small firm cybersecurity checklist, as you will see when you download and adapt it as part of your financial or investment firm’s cybersecurity guidelines.

We can guide you in fully understanding and utilizing everything in this document.

Need Consultancy on Understanding the Small Firm Cybersecurity Checklist from FINRA?

If so, the KalioTek™ team provides the widest range of possible IT services in the San Francisco Bay Area. What we really deliver is peace of mind for business executives who want to know that their organization’s IT security and performance is being managed by a competent professional team, allowing them to focus on their business priorities.